Hossein Zahed

Web Developer, Entrepreneur, Software Educator

How to remove number in parenthesis near website/project name in Solution Explorer

In the file C:\Users\Username\Documents\IISExpress\config\applicationhost.config, under the section

<sites>

...

</sites>

you see an entry for every website or project you have ever opened or created. Carefully delete the stale records, and the numbers in parentheses will disappear from the Solution Explorer window.
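To audit and prune those records without hand-editing the XML, here is an added Python example (not code from the original post). It assumes Python 3.8 or later; the site names, paths and bindings in SAMPLE_CONFIG are constructed to resemble the real file.

```python
"""Audit the <sites> section of an IIS Express applicationhost.config.

Added example, not code from the original post: it lists each <site>,
flags those whose physicalPath no longer exists (the stale records the
tip says you may delete) and returns the config text without them.
"""
import os
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List

# Constructed sample shaped like the real file; comments survive the rewrite.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <!-- one <site> per project ever opened; stale entries accumulate here -->
    <sites>
      <site name="MyApp" id="1">
        <application path="/" applicationPool="Clr4IntegratedAppPool">
          <virtualDirectory path="/" physicalPath="C:\\Projects\\MyApp" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:51234:localhost" />
        </bindings>
      </site>
      <site name="MyApp(1)" id="2">
        <application path="/" applicationPool="Clr4IntegratedAppPool">
          <virtualDirectory path="/" physicalPath="C:\\Old\\MyApp" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:51235:localhost" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _parse(xml_text: str) -> ET.Element:
    # insert_comments=True (Python 3.8+) keeps the file's comments in the tree
    # so they are not lost when the pruned config is serialised again.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def list_sites(xml_text: str) -> List[Dict[str, object]]:
    """One record per <site>: name, id, root physicalPath and bindings."""
    records = []
    for site in _parse(xml_text).iter("site"):
        vdir = site.find("application/virtualDirectory")
        records.append({
            "name": site.get("name"),
            "id": site.get("id"),
            "physicalPath": None if vdir is None else vdir.get("physicalPath"),
            "bindings": [b.get("bindingInformation") for b in site.iter("binding")],
        })
    return records


def stale_sites(xml_text: str,
                path_exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Names of sites whose physicalPath is missing; path_exists is injectable
    so a config copied from another machine can be audited offline."""
    stale = []
    for rec in list_sites(xml_text):
        path = rec["physicalPath"]
        # The file may use %VAR%-style variables (e.g. %IIS_SITES_HOME%).
        if path is None or not path_exists(os.path.expandvars(path)):
            stale.append(rec["name"])
    return stale


def prune_sites(xml_text: str, names_to_remove: Iterable[str]) -> str:
    """Return the config text with the named <site> elements removed.
    Back up the original file before writing this result over it."""
    doomed = set(names_to_remove)
    root = _parse(xml_text)
    sites = next(root.iter("sites"))
    for site in list(sites):  # iterate over a copy while removing
        if site.tag == "site" and site.get("name") in doomed:
            sites.remove(site)
    return XML_DECL + ET.tostring(root, encoding="unicode")
```

Run stale_sites against the real file first and review the list; write the pruned text back only after keeping a copy of the original and while IIS Express is not running.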

ASP.NET Security Architecture Cheat Sheet For Very Busy Architects

Application Security Meeting

In my experience, application security meetings are usually hard to manage because the participants do not share a common language. Security guys come from an infrastructure background, and developers usually ... just hate security. The resulting communication gap turns into antagonism that prolongs the problem instead of solving it. What is needed is a common language that everyone understands. The cheat sheet below has helped me many times to establish the common ground for a fruitful discussion. It is based on JD Meier's epic works:

Have fun.

The Cheat Sheet

Architecture and Design Issues for Web Applications

ASP.NET Security Architecture

Building Secure Assemblies

The main threats are:

  • Unauthorized access or privilege elevation, or both
  • Code injection
  • Information disclosure
  • Tampering

Secure .Net assemblies

Building Secure ASP.NET Pages and Controls

The main threats are:

  • Code injection
  • Session hijacking
  • Identity spoofing
  • Parameter manipulation
  • Network eavesdropping
  • Information disclosure

Secure ASP.NET pages

Building Secure Serviced Components

The main threats are:

  • Network eavesdropping
  • Unauthorized access
  • Unconstrained delegation
  • Disclosure of configuration data
  • Repudiation

Secure Serviced Components

Building Secure Web Services

The main threats are:

  • Unauthorized access
  • Parameter manipulation
  • Network eavesdropping
  • Disclosure of configuration data
  • Message replay

Secure Web Services

Building Secure Remoted Components

The main threats are:

  • Unauthorized access
  • Network eavesdropping
  • Parameter manipulation
  • Serialization

Secure Remoted Components

Building Secure Data Access

The main threats are:

  • SQL injection
  • Disclosure of configuration data
  • Disclosure of sensitive application data
  • Disclosure of database schema and connection details
  • Unauthorized access
  • Network eavesdropping

Secure Data Access Components

 

Complementary questionnaire

 

 

For each area below, the first list helps identify threats, the second helps identify vulnerabilities, and the third names the common vulnerabilities.

Authentication

Identify threats

  • How could an attacker spoof identity?
  • How could an attacker gain access to the credential store?
  • How could an attacker mount a dictionary attack? How are your user's credentials stored and what password policies are enforced?
  • How can an attacker modify, intercept, or bypass your user's credential reset mechanism?

Identify vulnerabilities

  • Are user names and passwords sent in clear text over an unprotected channel? Is any ad hoc cryptography used for sensitive information?
  • Are credentials stored? If they are stored, how are they stored and protected?
  • Do you enforce strong passwords? What other password policies are enforced?
  • How are credentials verified?
  • How is the authenticated user identified after the initial logon?

Common Vulnerabilities

  • Passing authentication credentials or authentication cookies over unencrypted network links, which can lead to credential capture or session hijacking
  • Using weak password and account policies, which can lead to unauthorized access
  • Mixing personalization with authentication

Authorization

Identify threats

  • How could an attacker influence authorization checks to gain access to privileged operations?
  • How could an attacker elevate privileges?

Identify vulnerabilities

  • What access controls are used at the entry points of the application?
  • Does your application use roles? If it uses roles, are they sufficiently granular for access control and auditing purposes?
  • Does your authorization code fail securely and grant access only upon successful confirmation of credentials?
  • Do you restrict access to system resources?
  • Do you restrict database access?
  • How is authorization enforced at the database?

Common Vulnerabilities

  • Using over-privileged roles and accounts
  • Failing to provide sufficient role granularity
  • Failing to restrict system resources to particular application identities

Input and Data Validation

Identify threats

  • How could an attacker inject SQL commands?
  • How could an attacker perform a cross-site scripting attack?
  • How could an attacker bypass input validation?
  • How could an attacker send invalid input to influence security logic on the server?
  • How could an attacker send malformed input to crash the application?

Identify vulnerabilities

  • Is all input data validated?
  • Do you validate for length, range, format, and type?
  • Do you rely on client-side validation?
  • Could an attacker inject commands or malicious data into the application?
  • Do you trust data you write out to Web pages, or do you need to HTML-encode it to help prevent cross-site scripting attacks?
  • Do you validate input before using it in SQL statements to help prevent SQL injection?
  • Is data validated at the recipient entry point as it is passed between separate trust boundaries?
  • Can you trust data in the database?
  • Do you accept input file names, URLs, or user names? Have you addressed canonicalization issues?

Common Vulnerabilities

  • Relying exclusively on client-side validation
  • Using a deny approach instead of allow for filtering input
  • Writing data you did not validate out to Web pages
  • Using input you did not validate to generate SQL queries
  • Using insecure data access coding techniques, which can increase the threat posed by SQL injection
  • Using input file names, URLs, or user names for security decisions

Configuration Management

Identify threats

  • How could an attacker gain access to administration functionality?
  • How could an attacker gain access to your application's configuration data?

Identify vulnerabilities

  • How do you protect remote administration interfaces?
  • Do you protect configuration stores?
  • Do you encrypt sensitive configuration data?
  • Do you separate administrator privileges?
  • Do you use least privileged process and service accounts?

Common Vulnerabilities

  • Storing configuration secrets, such as connection strings and service account credentials, in clear text
  • Failing to protect the configuration management aspects of your application, including administration interfaces
  • Using over-privileged process accounts and service accounts

Sensitive Data

Identify threats

  • Where and how does your application store sensitive data?
  • When and where is sensitive data passed across a network?
  • How could an attacker view sensitive data?
  • How could an attacker manipulate sensitive data?

Identify vulnerabilities

  • Do you store secrets in persistent stores?
  • How do you store sensitive data?
  • Do you store secrets in memory?
  • Do you pass sensitive data over the network?
  • Do you log sensitive data?

Common Vulnerabilities

  • Storing secrets when you do not need to store them
  • Storing secrets in code
  • Storing secrets in clear text
  • Passing sensitive data in clear text over networks

Session Management

Identify threats

  • Do you use a custom encryption algorithm, and do you trust the algorithm?
  • How could an attacker hijack a session?
  • How could an attacker view or manipulate another user's session state?

Identify vulnerabilities

  • How are session cookies generated?
  • How are session identifiers exchanged?
  • How is session state protected as it crosses the network?
  • How is session state protected to prevent session hijacking?
  • How is the session state store protected?
  • Do you restrict session lifetime?
  • How does the application authenticate with the session store?
  • Are credentials passed over the network and are they maintained by the application? If they are, how are they protected?

Common Vulnerabilities

  • Passing session identifiers over unencrypted channels
  • Prolonged session lifetime
  • Insecure session state stores
  • Session identifiers in query strings

Cryptography

Identify threats

  • What would it take for an attacker to crack your encryption?
  • How could an attacker obtain access to encryption keys?
  • Which cryptographic standards are you using? What, if any, are the known attacks on these standards?
  • Are you creating your own cryptography?
  • How does your deployment topology potentially impact your choice of encryption methods?

Identify vulnerabilities

  • What algorithms and cryptographic techniques are used?
  • Do you use custom encryption algorithms?
  • Why do you use particular algorithms?
  • How long are encryption keys, and how are they protected?
  • How often are keys recycled?
  • How are encryption keys distributed?

Common Vulnerabilities

  • Using custom cryptography
  • Using the wrong algorithm or a key size that is too small
  • Failing to protect encryption keys
  • Using the same key for a prolonged period of time

Parameter Manipulation

Identify threats

  • How could an attacker manipulate parameters to influence security logic on the server?
  • How could an attacker manipulate sensitive parameter data?

Identify vulnerabilities

  • Do you validate all input parameters?
  • Do you validate all parameters in form fields, view state, cookie data, and HTTP headers?
  • Do you pass sensitive data in parameters?
  • Does the application detect tampered parameters?

Common Vulnerabilities

  • Failing to validate all input parameters. This makes your application susceptible to denial of service attacks and code injection attacks, including SQL injection and XSS.
  • Including sensitive data in unencrypted cookies. Cookie data can be changed at the client or it can be captured and changed as it is passed over the network.
  • Including sensitive data in query strings and form fields. Query strings and form fields are easily changed on the client.
  • Trusting HTTP header information. This information is easily changed on the client.

Exception Management

Identify threats

  • How could an attacker crash the application?
  • How could an attacker gain useful exception details?

Identify vulnerabilities

  • How does the application handle error conditions?
  • Are exceptions ever allowed to propagate back to the client?
  • What type of data is included in exception messages?
  • Do you reveal too much information to the client?
  • Where do you log exception details? Are the log files secure?

Common Vulnerabilities

  • Failing to validate all input parameters
  • Revealing too much information to the client

Auditing and Logging

Identify threats

  • How could an attacker cover his or her tracks?
  • How can you prove that an attacker (or legitimate user) performed specific actions?

Identify vulnerabilities

  • Have you identified key activities to audit?
  • Does your application audit activity across all layers and servers?
  • How are log files protected?

Common Vulnerabilities

  • Failing to audit failed logons
  • Failing to protect audit files
  • Failing to audit across application layers and servers

Related Materials

50 Must-have plugins for extending Twitter Bootstrap

Collections of Bootstrap Enhancements

We will start off with two collections of Bootstrap plugins that are the perfect companions to the framework.

Fuel UX

Fuel UX is an incredible collection of enhancements to Twitter Bootstrap. All the controls are clean and lightweight, and they fit naturally into the bootstrap look and feel. The collection includes controls like datagrids, custom select boxes, spinners, trees, multi-step form wizards and more.

Website | Github

Jasny

Jasny is another collection of useful interface components for bootstrap. It features controls like input masks, file upload buttons, icons, additional form styles and more. You can either get a version of bootstrap with all the changes integrated, or you can download them separately as plugins.

Website | Github

Galleries

It is worth noting that you can use any regular jQuery plugin with your bootstrap-powered website. This means that any of the galleries from our jQuery plugin collection will work perfectly fine. What these plugins won’t have though, is bootstrap’s design language and way of doing things. For this reason, check out these three plugins specifically created with bootstrap in mind:

Bootstrap Lightbox

Bootstrap does include a carousel, but it falls short when you need to show a photo in a lightbox. This is where the simple Bootstrap Lightbox plugin comes into play. All you need to do is add the required HTML to the page, and you get a pretty and responsive lightbox with an optional caption.

Website | Github

Simple Lightbox

Simple Lightbox is another lightbox plugin that is simpler than the one above. It only requires that you add a data attribute to the image and initialize the plugin.

Website

Bootstrap Image Gallery

Bootstrap Image Gallery is a complete gallery solution for bootstrap. After you include the needed files in your page, you get a grid of images which open in modal windows. The gallery can also optionally go into fullscreen mode. Note that there is now an improved version of this plugin which drops the Bootstrap requirement, so you can use it in any project.

Website | Github

Dialogs and Notifications

Bootstrap comes with a good modal window implementation out of the box. These plugins make it even better.

Bootbox.js

Bootbox.js is a small JavaScript library that automates the process of creating bootstrap dialogs. It creates the needed markup for you, so all you have to do to trigger a bootstrap dialog is to call a function. It mimics the built-in browser dialogs like alert, confirm and prompt.

Website | Github

Bootstrap Modal

Bootstrap Modal extends the default bootstrap modal class. It makes the default dialogs responsive and adds the ability to load their content via AJAX automatically for you.

Website | Github

Bootstrap Growl

Bootstrap Growl is a jQuery plugin which turns Bootstrap’s notifications into pretty Growl-like alerts. Notifications can be heavily customized; you can choose the position on the screen, the dimensions, offsets and the time to fade out.

Github

Bootstrap Notify

Bootstrap Notify is a user-friendly extension to bootstrap notifications. Like the growl plugin above, here you can also heavily customize every aspect of the notifications and where they are shown.

Website | Github

Forms

Forms are the necessary evil of web development. They may be tedious and boring to create and to fill in, but they occupy a very important place in our online interactions. Bootstrap brings a long list of enhancements to forms in terms of usability and presentation. It may not offer much else, but the plugins in this section do a great job at changing that.

Bootstrap Form Helpers

Bootstrap Form Helpers is an indispensable collection for enhancing web forms. It comes with 12 custom jQuery plugins that give you everything from date and time pickers, font lists, timezone, language and country fields and more.

Website | Github

Bootstrap Tags

Bootstrap Tags is a plugin which can enhance your search boxes by presenting the search terms as tags. The plugin also supports filters, placeholders, popovers and autosuggest as well as a full set of callback functions so you can hook it up with your code. Similar plugins are Tags Manager and Bootstrap Tag.

Website | Github

Bootstrap Switch

No mobile interface is complete without an iOS-like switch control, and Bootstrap Switch gives you a perfect implementation that fits nicely into the Bootstrap design language. You can customize the size of the control and the colors by assigning class names to the element. The plugin is really simple to set up, as it wraps around an existing checkbox.

Website | Github

Bootstrap Markdown

I’ve mentioned markdown on Tutorialzine before (we even made a lightweight blog system with it). Bootstrap Markdown makes it possible to add markdown editing functionality seamlessly to your projects.

Website | Github

Bootstrap Maxlength

Bootstrap Maxlength is a neat little plugin which detects the HTML maxlength property of a textfield, and displays an interactive counter of the remaining characters. It is a great addition to text boxes and text areas.

Website | Github

Bootstrap Select

Bootstrap favors native browser controls, which is the reason it doesn’t expose any customization options for them. However, in some projects it is useful to have customizable controls like select boxes, which is exactly what Bootstrap Select does. This plugin gives you a pretty and customizable select box which looks great in your page. For an alternative, try SelectBoxIt, or one of the other well-known plugins like Select2 or Chosen.

Website | Github

Bootstrap Multiselect

And for select inputs with the multiple attribute, you can use Bootstrap Multiselect. The plugin creates an intuitive interface for using select inputs with the multiple attribute present. Instead of a select, a bootstrap button will be shown as a dropdown menu containing the single options as checkboxes.

Website | Github

Bootstrap WYSIHTML5

Bootstrap WYSIHTML5 is a beautiful rich text editor for bootstrap that comes in the form of an easy-to-embed JavaScript plugin. It gives you only basic functionality, but this will be fine for 90% of the use cases. For a slightly more advanced editor, try this one or the insanely powerful TinyMCE.

Website | Github

Bootstrap Form Wizard

It is a good practice to split long forms into smaller, contextually similar chunks. This makes them a bit easier to handle. The Bootstrap Form Wizard does that for you and more.

Website | Github

jqBootstrapValidation

jqBootstrapValidation is a plugin that makes it easy to validate your Bootstrap forms. It is easy to include into your project and all the validation rules are described as data attributes on the input elements. If you need an alternative plugin, take a look at nod.

Website | Github

jQuery File Upload

jQuery File Upload is a very powerful and versatile file uploading plugin. See our tutorial about it here. The plugin is not strictly for bootstrap, but all the examples on their homepage use the frontend framework extensively.

Website | Github

Bootstrap Tag Autocomplete

Bootstrap Tag Autocomplete is a library which adds Twitter- and Facebook-like mentions to your content-editable text areas. It takes an array of available completions and inserts them as nodes in the text area on a match.

Website | Github

Date and Time Pickers

Your web application probably requires dates to be formatted in a specific way, and expecting people to manually type them in is a road that can only lead to frustration. The better approach is to have a widget which lets users simply click or tap on the date they need. The plugins in this category add such functionality to your Bootstrap forms.

Daterangepicker

Daterangepicker is a plugin for Bootstrap that is the perfect addition to your reports page. It lets users choose preset time periods like the last 7 or 30 days (you can define your own presets), and they can also choose an arbitrary time interval. You only need to pass a few callback functions when instantiating the plugin, and you are ready to go. Check out a tutorial where we used this plugin to update a chart.

Website | Github

Bootstrap Timepicker

Bootstrap Timepicker is a pretty and touch friendly plugin that lets you turn text fields into time selection controls. It doesn’t have support for dates, but for that you can use one of the next plugins.

Website | Github

Clockface

Clockface is an alternative plugin to the one above. It presents the hours and minutes as text labels in a circle. While it is a bit ugly for my taste, I give it points for originality.

Website | Github

Bootstrap Datetime

Bootstrap Datetime Picker is a fully featured plugin that lets you turn a text field into a handy date and time picker control. The plugin is pretty and fits nicely with the framework’s design language. It is also fairly easy to customize with CSS. For an alternative check out this plugin.

Website | Github

Bic_Calendar

Bic_Calendar is a simple calendar widget that can show events loaded through AJAX. An example PHP script is included that outputs the events as a JSON object. The events are then displayed on the calendar and shown in a popup.

Website | Github

Color Pickers

Entering colors is another area that users need help with. You can’t simply think of a color and write down its hex value – you need to visualize it in some way. The plugins listed here help you alleviate this problem by creating color picker controls and swatches.

Pick a Color

Pick a Color is a bootstrap addon that shows an advanced color picker. You can choose colors by modifying one of the presets, by choosing a previously saved one, or generating a color by modifying the hue, saturation and lightness components.

Website | Github

Colorpicker for Bootstrap

Colorpicker for Bootstrap is a more traditional color picker – you get a Photoshop-like widget that lets you choose the main color and specific hues. I personally find this easier to use than the above plugin.

Website | Github

Color Palette

Color Palette is a Bootstrap plugin that displays a grid of color swatches when a text field is focused. The plugin is easy to integrate with your bootstrap project.

Website | Github

Tables

Bootstrap already offers basic table styles that do a great job with simple data. However, what if you’d like that data to be sortable, searchable and presentable on multiple pages? Read on.

Tablecloth

Tablecloth is a plugin that makes your tables pretty. It comes with a number of built-in styles, and it uses plugins like tablesorter internally to make the data in your tables sortable.

Website | Github

Data Tables

Data Tables is another table enhancing addon for Bootstrap. This plugin not only makes your tables sortable, but it also makes use of the framework’s pagination controls and makes the data searchable.

Website

Interface Enhancements

This section contains various plugins that enhance the interface of your web app.

jQuery Bootpag

jQuery Bootpag is an enhanced bootstrap pagination plugin. It is very easy to set up – you only have to pass a callback function and listen for the page event. Inside that function, you can update the container element with the content that you need.

Website | Github

Tocify

Tocify is a table of contents plugin. It scans your page on DOMReady, looking for headings, and creates a Bootstrap-styled table of contents dynamically.

Website | Github

Bootstrap Link Preview

Bootstrap Link Preview is a JavaScript library offering a Facebook-like preview for URLs. It is very simple to use and weighs just a few kilobytes. To work around the same-origin policy, though, it depends on a PHP script.

Website | Github

Tab drop

Tab drop is a neat plugin that hides your tabs in a dropdown if they don’t fit in a single row. This can come in handy when designing responsive sites that need to work on small screens.

Website

Flippant.js

Flippant.js is a tiny plugin that lets you flip elements to reveal further content with a smooth CSS transition. You can put any content on the back side – simply pass it as an argument to the function call.

Website | Github

Hover Dropdown

Another interface enhancement for Bootstrap. With the Hover Dropdown plugin you can activate the framework’s dropdowns on hover in addition to click. This can make for a better user experience with your site.

Website | Github

Social Buttons

Social Buttons is a collection of pretty social networking buttons built with Bootstrap and Font Awesome. This makes them very easy to scale and style.

Website | Github

Bootstro.js

Bootstro.js is a bootstrap plugin that lets you build a guided tour for new users. A tour consists of tooltips and overlays which explain the functions of your app. The plugin has plenty of options and callbacks, so it is easy to hook up with the rest of your code. For an alternative, check out Bootstraptour.

Website | Github

AJAX

The Bootstrap extensions in this section handle inline editing of content with automatic syncing with your server, extend the framework with AJAX bindings and more.

X-editable

X-editable is a library that enhances Bootstrap with inline editing capability. Clicking an element that is set to be editable opens up a bootstrap popup with a text field and buttons. In addition, it supports editing inline and has many different types of text controls, including rich text editors and date pickers. On a successful edit, the plugin sends an AJAX request to your server.

Website | Github

Eldarion AJAX

With Eldarion AJAX you can extend bootstrap with automatic AJAX request handling. Simply add the ajax class to the button or link you wish to enhance, and the plugin will do the rest. It will send a request and replace the contents of the element with the response from the server. You can also submit forms in the same manner.

Website | Github

Typeahead

Typeahead is a library by Twitter that offers a fast and fully featured autocomplete control for your site. It supports fetching autocomplete data via AJAX, caching, rate limiting and more. The most common selections are displayed as hints. The library does not depend on bootstrap, but it can be easily integrated with it.

Website | Github

Conclusion

Bootstrap is a valuable addition to your web development toolbox. Knowing your way around the framework will let you build usable and responsive interfaces with ease. And with the plugins presented here, you can add advanced functionality that fits nicely with the rest of your site.